The Security Industry and a Look Ahead

As I reflect on the year that has passed and think forward to the year that is to come, Charles Dickens’ timeless words come to mind, “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way.” Can you imagine a more apt description of the times in which we are living and the dichotomy between all of the technology innovation we enjoy and the oppressive cyber threat under which we live?

The best of times...

In 2014, mobile and cloud technologies continued to make our lives more efficient, more productive, and generally better. Mobile is rapidly catching up to PCs as the preferred means of interacting with the digital world – mobile Internet traffic is predicted to account for more than 30% of total Internet traffic by the end of the year (KPCB), which represents a doubling of mobile traffic over the past 18 months. If you eliminate passive Internet traffic like streaming, mobile’s rising dominance is hard to dispute.

Mobile technology itself continued to evolve from being something we hold to being something we wear, with the 2013 buzz around Google Glass giving way to buzz around smart watches in 2014.

But as pervasive as mobile has become, it is nothing in comparison to the Cloud. Upwards of 90% of organizations (CompTIA) and 90% of Internet users (BI Intelligence) are now relying on the Cloud for easy, inexpensive, and ubiquitous access to storage and services. The Internet has evolved from being the connection to storage and services to being the location of storage and services.

The worst of times…

Despite technology’s advances, however, the risk of our increasingly digital existence was brutally apparent during yet another “Year of the Breach.” Many retailers and financial services and healthcare organizations experienced damaging breaches in 2014, despite having what were considered strong security programs in place.

The fact that our pool of adversaries extends beyond criminals and hacktivists was further driven home by the growing sophistication and sheer number of nation-state cyber-attacks. For the first time, those dubious nation-state cyber activities began to create real-world diplomatic crises (e.g., the escalating tensions between the U.S. and China).

Speaking of the public sector, the U.S. National Institute of Standards and Technology’s work with industry resulted in the launch of the Cybersecurity Framework, which was a positive step forward in providing a common foundation for intelligently approaching today’s cybersecurity challenges, but little other real progress was made by the world’s governments. The Snowden revelations of 2013 continued to polarize the privacy debate and stymie the critical information sharing legislation we need to collectively secure our companies, industry and economy.

So with that as the backdrop, what can we anticipate in 2015?

1. Nation-state cyber-attacks will continue to evolve and accelerate but the damage will be increasingly borne by the private sector – In 2014, nation states around the world increasingly pushed the boundaries of acceptable cyber assault to control their own populaces and spy on other nation states. With no one actively working on the development of acceptable norms of digital behavior – a digital Hague or Geneva Convention, if you will – we can expect this covert digital warfare to continue. Increasingly, however, companies in the private sector will be drawn into this war either as the intended victim or as the unwitting pawn in an attack on other companies.

2. The privacy debate will mature – We’re beginning to see a softening of the current polarized environment in the U.S. and Europe as people recognize that privacy is under attack from and being defended by a more varied and complex set of actors than the current debates would lead you to believe. It is increasingly recognized that privacy is not a monolithic concept and that it cannot survive apart from security. A more pragmatic, balanced debate about how to secure our privacy will ensue in 2015 and the prospects for responsible privacy policies and intelligence sharing legislation that would better protect our privacy may improve. One test of this prediction will be the outcome of the EU General Data Protection Regulation, which may reach a final form in 2015.

3. Retail is an ongoing target and Personal Health Information (PHI) is next – As a result of the numerous retail and financial services breaches in 2014, organizations who handle payment card data are strengthening their defenses and shortening the window of opportunity for cybercriminals, making them a less lucrative target. Unfortunately, the retail sector is massive and worldwide and will continue to be a target-rich environment. In 2015, however, well-organized cyber criminals will increasingly turn their attention to stealing another type of data that is not as well-secured, is very lucrative to monetize in the cybercrime economy, and is largely held by organizations without the means to defend against sophisticated attacks – personal information held by healthcare providers. Unfortunately, we are likely to see another series of very public breaches before many providers improve their security to effectively deal with these threats.

4. The Internet Identity of Things – Despite the publicity that software and system vulnerabilities receive, they are becoming less lucrative for criminals than social engineering and other more easily executed “trust exploits.” I saw a tweet this year along the lines of, “who needs zero days when you’ve got stupid.” The increase of machine-to-human and machine-to-machine interaction will only exacerbate this situation. As such, the authentication and identity management and governance of who, and with the Internet of Things (IoT), what is accessing our networks and data will be an increasingly critical element of security in 2015. Get ready for the Botnet of Things. When you consider this trend, the strong growth of IoT in the healthcare sector, and my PHI prediction, the ramifications are truly scary.

While we just had a change in the leadership of the U.S. Senate, I’m not hopeful that we will see a lot of change in the prospects for cybersecurity legislation in 2015. Though the subject is of critical importance for the future of all countries, it is complex and progress is difficult in the current geopolitical climate. In the absence of comprehensive legislation, industry regulators will step in to fill the void, creating a patchwork of new, potentially incompatible compliance requirements (Oh goody).

That being said, I am cautiously optimistic about the prospects for collaboration and collective progress in the private sector as companies and industries are recognizing that in the digital world, no one is an island. We’re more like an archipelago and we’re starting to build bridges. The recent growth of industry groups and Information Sharing and Analysis Centers (ISACs) is the proverbial rising tide that lifts all boats. The next step is for us to go beyond information sharing and band together – even across industries – to advocate for and lead the development of strong, global cyber policies. Because if we have learned anything over the past couple of years it’s that if anyone is going to get us out of this mess, it’s going to have to be us. May we all continue to make progress together in building a trusted digital world in 2015.

Sincerely,

Art Coviello

About the Author: Art Coviello is Executive Vice President, EMC Corporation and Executive Chairman, RSA, The Security Division of EMC.

